Cisco has warned of a high-severity zero-day security vulnerability affecting its networking devices.
In an advisory published Saturday, the company said the new security flaw affects its Internetwork Operating System (IOS), which ships with its networking gear. Cisco said the flaw was being actively exploited as recently as last week and that it’s still in the process of developing a patch.
The networking device manufacturer said the flaw, tracked as CVE-2020-3566, could enable an unauthorized party to remotely execute an attack that exhausts process memory and creates instability in other processes running on the device.
"The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets,” Cisco explained. “An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device.”
Exploitation attempts discovered
Cisco said it discovered exploitation attempts last week but didn’t provide details on what, if anything, the exploit attempts accomplished. The company only said what the flaw could allow an attacker to do.
“A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes,” the company said. “These processes may include, but are not limited to, interior and exterior routing protocols.”
Although Cisco didn’t provide an estimate of when a patch will be released, it did promise that one is on the way.
While a patch is in the works, the company is urging users to rely on mitigation techniques, such as implementing a rate limiter or adding an access control entry to an existing interface access control list. Details of these defensive strategies can be found in the company’s security advisory.